Is Your Business Following Password Guidelines?

In the realm of cybersecurity, your employees’ passwords are your first line of defense. A strong password policy is crucial to protecting your data from threats. But is your company’s current policy robust enough to safeguard your sensitive information and keep cybercriminals at bay?

Last Updated: June 6, 2024

Your birthday. The name of a beloved, departed pet. The word ‘Password.’ The word ‘Password,’ but with a string of numbers after it. What do all of these have in common? They’re all ludicrously common computer passwords, all ludicrously easy to remember…and ludicrously easy to crack should your organization be targeted by hackers or digital thieves. 

Harping on secure passwords for your workplace may at times seem silly or unnecessary, but the truth of the matter is that when it comes to data protection, passwords are the first line of defense. In this article, we’ll look at different existing organizational password policies, as well as some ways your organization can use these guidelines to keep the sensitive information your company safeguards as protected as possible.

Password Guidelines

Different industry researchers and regulatory bodies regularly release password guidelines, meant to help organizations prevent security breaches and cyberattacks. Here are some different agencies and the password guidelines they espouse.

National Institute of Standards and Technology

NIST, a non-regulatory agency of the Department of Commerce, recommends passwords between 8 and 64 characters long—the longer the better—with nonstandard characters. They also recommend a password strength meter, and that prospective passwords be checked against a list of common or compromised passwords. NIST does not have recommendations for complexity or password expiration requirements, but does recommend multi-factor authentication (MFA).

Center for Internet Security

CIS password guidelines recommend a minimum length of 14 characters for passwords, or a minimum of 8 characters for accounts protected by multi-factor authentication, with no maximum limit. They recommend changing passwords immediately in the event of a breach, and checking new passwords against a list of previously used passwords as well as lists of known, common, and weak passwords.
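
The length and screening rules described in the NIST and CIS sections above, as an added example that is not part of the original article: a Python checker that applies the length limits as this article states them, a blocklist lookup, and a password-history comparison. The Policy class, the function names, the sample blocklist and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:  # hypothetical container, not from NIST or CIS
    min_len: int
    min_len_mfa: int
    max_len: Optional[int]  # None means no maximum


# Length limits exactly as this article states them.
NIST = Policy(min_len=8, min_len_mfa=8, max_len=64)
CIS = Policy(min_len=14, min_len_mfa=8, max_len=None)

# Constructed sample; a real blocklist holds common and breached passwords.
BLOCKLIST = {"password", "password123", "qwerty", "letmein", "123456"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest so password history is never stored in plaintext."""
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)  # assumed work factor


def history_entry(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def check_password(candidate: str, policy: Policy, mfa: bool,
                   history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    pw = unicodedata.normalize("NFKC", candidate)
    problems = []
    if len(pw) < (policy.min_len_mfa if mfa else policy.min_len):
        problems.append("too_short")
    if policy.max_len is not None and len(pw) > policy.max_len:
        problems.append("too_long")
    if pw.casefold() in BLOCKLIST:  # case-insensitive match against the list
        problems.append("common")
    # Re-hash with each stored salt; compare in constant time.
    if any(hmac.compare_digest(hash_password(pw, s), d) for s, d in history):
        problems.append("reused")
    return problems
```

Returning every failed rule at once lets a sign-up form tell the user everything that needs fixing in a single pass.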

HIPAA Security Rule 

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a law requiring national standards on protecting patient health information from being disclosed without the patient’s knowledge or consent. With regard to password management, the HIPAA Security Rule requires entities to implement policies for “creating, changing, and safeguarding passwords,” and recommends that businesses train their workforces on guidelines for creating and changing passwords.

Password Best Practices

Based on these guidelines, here are some basic practices that can help make passwords in your workplace more secure. 

Don’t Keep it Too Simple

The longer a password, the longer it takes a hacker to break! Strong passwords should be a minimum of 12 characters long. They should also be random, using a mixture of upper- and lowercase letters, symbols, and/or numbers. Encourage employees to avoid using significant names, dates, or places in their passwords. It may even be useful to have employees look up lists of the most common passwords, and avoid using those examples themselves.

Don’t Reduce, Reuse, or Recycle 

Strong passwords should also be unique! Avoid using the same password for multiple accounts. Reusing can be risky; if an employee uses the same password for all of their accounts, a data breach somewhere else could suddenly put their protected work information at risk. Recycling passwords can be risky as well. Strong password policies should encourage employees to set new passwords after set periods of time, and prohibit reusing the previous password. 

Also encourage employees to change passwords immediately whenever data is compromised, or even at risk of being compromised.

Password Managers Are Your Friend 

A long, randomized password that you can’t reuse anywhere else might not sound like the easiest thing to remember. Many organizations with strong password policies also use a password manager to help maintain cybersecurity. Password managers are extremely helpful for creating and storing strong passwords. Good password managers are also secure, undergoing multiple tests, reviews and third-party audits.

Stay Secure with CompanyMileage

Updating your organization’s password policy and encouraging your employees to comply is a simple, effective way you and your employees can help keep the important data you protect as safe as possible. However, protected passwords shouldn’t be the only line of defense!

At CompanyMileage, we know how important security is, especially for organizations in the healthcare and other related industries. That’s why we make cybersecurity a top priority, with a three-tiered system in place to protect our customers. 

In the first tier, we incorporate a multi-level approach to ensure data is protected at every level. This includes table-level encryption, password rotation management, and compliance with PCI DSS, HIPAA, HITECH, FISMA and other regulatory guidelines. Our second tier focuses on maintaining the security of facilities and hardware. To this end, we have separately managed and monitored primary and synchronized servers that are backed up and serviced daily.

Finally, we’ve implemented robust privacy policies to protect access to client data. As part of this third tier, our policies prohibit the sharing of client data without written authorization from the client themselves and ensure that our own data systems are securely stored and accessible only by authorized company officials.

While strong password policies help your employees stay secure within your own company, you also want to make sure the technology partners you work with are doing their part to keep data safe and secure. To learn more about CompanyMileage’s safe, secure and easy-to-use mileage tracking software, request a demo today!

Written by The CompanyMileage Team

CompanyMileage helps hundreds of organizations across multiple industries effectively manage the cost of reimbursing employee mileage expenses through its mileage and expense management software solutions.
